Palo Alto HA

What Is HA Synchronization?

Version 8

This post explains the information that is synchronized between cluster members, and is applicable for both Active-Passive and Active-Active deployments.

 

Control Plane Synchronization over HA1 Link

  • Configuration: Configuration changes made on either the active or the passive unit are synchronized to the peer device.
  • Tabs synchronized: Policy, Objects and Network

Dataplane Synchronization over HA2 Link

  • Session states
  • IPSec SAs
  • Routing tables
  • ARP tables

Objects Not Synchronized

  • Device tab: any configuration that is specific to a device, such as the management configuration in Setup and High Availability, is not synchronized.
  • Application Command Center (ACC) and log data are not synchronized.

CLI commands to perform a commit sync manually

  • Synchronize Running Configuration

> request high-availability sync-to-remote running-config

  • Force the system to synchronize objects that are not saved as part of the system configuration, for example custom block and logon pages. This process operates over the HA control link.

> request high-availability sync-to-remote disk-state

  • Manually sync the runtime session state. This is normally done automatically, but if needed this command can be executed to force synchronization of the session table.

> request high-availability sync-to-remote runtime-state

 

Active to Passive Configuration Sync Failing for High Availability

Version 3

Issue

The active to passive configuration synchronization is failing between the HA pair of Palo Alto Networks devices.

 

Cause

The issue may be caused by a Jumbo Frame setting mismatch. On the passive firewall, check the status of the HA-Sync job:

> show jobs id 280

 

Enqueued              ID    Type     Status  Result  Completed
--------------------------------------------------------------
2013/03/20 11:59:35   280   HA-Sync  FIN     FAIL    12:00:01
Warnings:
Details:device: device is not in jumbo-frame mode but interface ae1.518 mtu is greater than 1500
interface configuration error
Commit failed

 

The HA-Sync error message, as shown above, indicates the problem.

 

Resolution

Configure both the active and the passive Palo Alto Networks firewalls to have the Jumbo Frame setting enabled. For the example above, the passive firewall needs to have Jumbo Frame enabled.

  1. Go to Device > Setup > Session.
  2. In the Session Settings section, check the Enable Jumbo Frame option.
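
The following is an added example, not part of the original post or of PAN-OS: a Python check that parses `show jobs id` output saved as text and flags a failed HA-Sync job caused by the jumbo-frame mismatch described under Cause. The function names are hypothetical, and the embedded sample is constructed from the job output shown on this page.

```python
import re

# Constructed sample: the job output shown on this page, saved as text.
SAMPLE = """\
Enqueued              ID    Type     Status  Result  Completed
--------------------------------------------------------------
2013/03/20 11:59:35   280   HA-Sync  FIN     FAIL    12:00:01
Warnings:
Details:device: device is not in jumbo-frame mode but interface ae1.518 mtu is greater than 1500
interface configuration error
Commit failed
"""

# One job row: timestamp, job id, type, status, result, completion time.
JOB_ROW = re.compile(
    r"^(?P<enqueued>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(?P<id>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<status>\S+)\s+(?P<result>\S+)\s+(?P<completed>\S+)$")
# The commit error quoted on this page for the jumbo-frame mismatch.
JUMBO = re.compile(r"not in jumbo-frame mode but interface (?P<ifname>\S+) "
                   r"mtu is greater than (?P<limit>\d+)")

def parse_job(text):
    """Return the job row fields plus the lines printed from 'Details:' on."""
    job, details, in_details = None, [], False
    for line in (raw.strip() for raw in text.splitlines()):
        m = JOB_ROW.match(line)
        if m:
            job = m.groupdict()
            continue
        if line.startswith("Details:"):
            in_details = True
            line = line[len("Details:"):].strip()
        if in_details and line:
            details.append(line)
    if job is None:
        raise ValueError("no job row found in output")
    job["details"] = details
    return job

def diagnose(job):
    """None unless the job is a failed HA-Sync; otherwise the likely cause."""
    if job["type"] != "HA-Sync" or job["result"] != "FAIL":
        return None
    for detail in job["details"]:
        m = JUMBO.search(detail)
        if m:  # peer lacks jumbo-frame mode while an interface MTU exceeds the limit
            return {"cause": "jumbo-frame-mismatch",
                    "interface": m["ifname"], "mtu_limit": int(m["limit"])}
    return {"cause": "unknown", "interface": None, "mtu_limit": None}
```

Running `diagnose(parse_job(SAMPLE))` on the passive peer's saved output names the interface whose MTU blocks the commit, which is the device where Enable Jumbo Frame needs to be checked.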

 


fwknowledge.wordpress.com
